ivuorinen/gh-action-readme
1
0
Fork 0
mirror of https://github.com/ivuorinen/gh-action-readme.git synced 2026-01-26 03:04:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5d671a9dc09c0d980f6d6c14da6f1b8753899052
gh-action-readme/docs/security.md
Ismo Vuorinen 3fbb608f9f feat: update go version, renovate config, tooling, fixes (#28) 
* feat(deps): update go version, renovate config, tooling

* chore(deps): update google/go-github to v74

* feat(deps): migrate from yaml.v3 to goccy/go-yaml

* chore(deps): update goccy/go-yaml to v1.18.0 and address security concerns

* feat: improve issue templates and project configuration

- Update GitHub issue templates with CLI-specific fields for better bug reports
- Add specialized templates for documentation, theme, and performance issues
- Update pre-commit config to include comprehensive documentation linting
- Remove outdated Snyk configuration and security references
- Update Go version from 1.23+ to 1.24+ across project
- Streamline README.md organization and improve clarity
- Update CHANGELOG.md and CLAUDE.md formatting
- Create comprehensive CONTRIBUTING.md with development guidelines
- Remove TODO.md (replaced by docs/roadmap.md)
- Move SECURITY.md to docs/security.md

* docs: fix markdown linting violations across documentation

* fix: resolve template placeholder issues and improve uses statement generation

* fix: remove trailing whitespace from GitHub issue template
2025-08-07 05:22:44 +03:00

4.7 KiB
Raw Blame History

Security Policy

Supported Versions

We provide security updates for the following versions of gh-action-readme:

Version Supported
latest
< latest

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue in gh-action-readme, please report it responsibly.

How to Report

  1. Do NOT create a public GitHub issue for security vulnerabilities
  2. Send an email to security@ivuorinen.dev with:
  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any suggested fixes (if available)

What to Expect

  • Acknowledgment: We'll acknowledge receipt of your report within 48 hours
  • Investigation: We'll investigate and validate the report within 5 business days
  • Resolution: We'll work on a fix and coordinate disclosure timeline
  • Credit: We'll credit you in the security advisory (unless you prefer to remain anonymous)

Security Measures

Automated Security Scanning

We employ multiple layers of automated security scanning:

  • govulncheck: Go-specific vulnerability scanning
  • Trivy: Container and filesystem security scanning
  • gitleaks: Secrets detection and prevention
  • CodeQL: Static code analysis
  • Dependabot: Automated dependency updates

Secure Development Practices

  • All dependencies are regularly updated
  • Security patches are prioritized
  • Code is reviewed by maintainers
  • CI/CD pipelines include security checks
  • Container images are scanned for vulnerabilities

Supply Chain Security

  • Dependencies are pinned to specific versions
  • SBOM (Software Bill of Materials) is generated for releases
  • Artifacts are signed using Cosign
  • Docker images are built with minimal attack surface

Security Configuration

For Users

When using gh-action-readme in your projects:

  1. Keep Updated: Always use the latest version
  2. Review Permissions: Only grant necessary GitHub token permissions
  3. Validate Inputs: Sanitize any user-provided inputs
  4. Monitor Dependencies: Use Dependabot or similar tools

For Contributors

When contributing to gh-action-readme:

  1. Follow Security Guidelines: See CONTRIBUTING.md
  2. Run Security Scans: Use make security before submitting PRs
  3. Handle Secrets Carefully: Never commit secrets or API keys
  4. Update Dependencies: Keep dependencies current and secure

Known Security Considerations

GitHub Token Usage

gh-action-readme requires GitHub API access for dependency analysis:

  • Uses read-only operations when possible
  • Respects rate limits to prevent abuse
  • Caches results to minimize API calls
  • Never stores or logs authentication tokens

Template Processing

Template rendering includes security measures:

  • Input sanitization for user-provided data
  • No execution of arbitrary code
  • Limited template functions to prevent injection

Security Tools and Commands

Local Security Testing

# Run all security scans
make security

# Individual scans
make vulncheck  # Go vulnerability check
make trivy      # Filesystem scanning
make gitleaks   # Secrets detection

# Security audit
make audit      # Comprehensive dependency audit

CI/CD Security

Our GitHub Actions workflows automatically run:

  • Security scans on every PR and push
  • Weekly scheduled vulnerability checks
  • Dependency reviews for pull requests
  • Container image security scanning

Security Best Practices for Users

GitHub Actions Usage

# Recommended secure usage
- name: Generate README
  uses: ivuorinen/gh-action-readme@v1
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
    # Limit token permissions in workflow
  permissions:
    contents: read
    metadata: read

Local Development

# Install security tools
go install golang.org/x/vuln/cmd/govulncheck@latest
# Install trivy: https://aquasecurity.github.io/trivy/
# Install gitleaks: https://github.com/gitleaks/gitleaks

# Run before committing
make security

Incident Response

In case of a security incident:

  1. Immediate Response: Assess and contain the issue
  2. Communication: Notify affected users through security advisories
  3. Remediation: Release patches and updated documentation
  4. Post-Incident: Review and improve security measures

Security Contact

For security-related questions or concerns:

  • Email: security@ivuorinen.dev
  • PGP Key: Available upon request
  • Response Time: Within 48 hours for security issues

This security policy is reviewed quarterly and updated as needed to reflect current best practices and threat landscape.